How do credentialed scans work?

There are four main types of scans that are possible with Alert Logic®:

External scans represent the view an external attacker would have of your environment, showing what can be learned about it from outside your firewalls. These scans are run from the Alert Logic data centers.

PCI scans are similar to external scans but run additional web application scans and a specific set of PCI-focused tests. These scans are run from the Alert Logic data centers.

Internal scans represent the view an internal attacker would have within your environment, showing what can be learned about your internal networks without any special privileges. These scans are run from the Alert Logic appliances.

Credentialed internal scans are the most comprehensive type of scan. They typically generate the most accurate assessment of real vulnerabilities that may exist on a device. These scans are run from the Alert Logic appliances.

When a credentialed scan runs, we first determine which hosts are live within the scan range. Based on the operating systems detected, credentials are applied when relevant destinations are reached. For instance, the scanner can uncover security vulnerabilities in Microsoft operating systems with or without credentials, but additional tools, many of which depend on the ability to authenticate to the destination host, provide more detail and a deeper assessment. The decision about which tools to run is iterative and driven by the responses to previous tests: if we detect a specific OS, we run the tools for that OS; if we detect an application, we run the tools for that application; if we detect a specific port, we run the tools for that port. Adding SNMP, SSH, or Windows Active Directory credentials to a scan therefore leads to a more comprehensive result, but the scan will also take more time to complete.
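The response-driven tool selection described above, modelled as an added example (this is not Alert Logic's code; the rules, tool names and simulated responses are hypothetical and constructed for illustration):

```python
# Added illustration, not Alert Logic's code: a toy model of the
# response-driven tool selection described above. All rule names, tool
# names and "responses" below are constructed and hypothetical.

# Triggering fact -> (credential type required or None, tool to run)
RULES = {
    "host:live":  [(None, "os-fingerprint"), (None, "port-scan")],
    "os:windows": [(None, "smb-null-session-check"),
                   ("windows_ad", "windows-patch-audit")],
    "os:linux":   [(None, "ssh-banner-check"), ("ssh", "package-version-audit")],
    "port:161":   [("snmp", "snmp-config-audit")],
    "port:443":   [(None, "web-app-fingerprint")],
    "app:iis":    [("windows_ad", "iis-config-audit")],
}

# Constructed responses a tool would return for one sample Windows host.
RESPONSES = {
    "os-fingerprint":      {"os:windows"},
    "port-scan":           {"port:161", "port:443", "port:445"},
    "web-app-fingerprint": {"app:iis"},
}

def plan_scan(initial_facts, credentials):
    """Iterate until no response adds a new fact. Returns the tools that ran
    and the credentialed tools skipped because no matching credential was
    supplied; the latter is the coverage gained by adding credentials."""
    facts = set(initial_facts)
    ran, skipped = [], []
    changed = True
    while changed:
        changed = False
        for fact in sorted(facts):          # snapshot; facts may grow below
            for cred, tool in RULES.get(fact, []):
                if tool in ran or tool in skipped:
                    continue
                if cred is not None and cred not in credentials:
                    skipped.append(tool)    # relevant destination, no credential
                    continue
                ran.append(tool)
                new_facts = RESPONSES.get(tool, set()) - facts
                if new_facts:               # a response unlocked further rules
                    facts |= new_facts
                    changed = True
    return ran, skipped

if __name__ == "__main__":
    for creds in (set(), {"windows_ad", "snmp"}):
        ran, skipped = plan_scan({"host:live"}, creds)
        print(f"credentials={sorted(creds)}: ran {len(ran)} tools, skipped {skipped}")
```

Running it with and without credentials shows the trade-off the text describes: the credentialed run executes every audit that the discovered OS, ports and application unlock, while the uncredentialed run stops at the unauthenticated checks.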

Scan configuration in the Alert Logic console includes the option to add credentials to scans, but credentials are not required to start a scan.

For the Alert Logic Cloud Defender™ suite, credentials are encrypted with each customer's individual private 2048-bit RSA key. The encrypted password is stored in Cloud Defender, where neither Cloud Defender itself nor any administrator can decrypt it. The private key is held in the FusionVM scanning engine and is used to decrypt the password just before it is submitted to the target OS for authentication.